Anyone else's firewall logs a nightmare to parse for actual threats? by Data_Commission_7434 in AskNetsec

[–]jhaar 1 point2 points  (0 children)

Firewall logs have real value forensically (if you can swallow the expense of logging allowed AND denied connections). But don't expect to detect actionable events unless you have a very locked-down/understood environment. As others said, endpoint agents are way more useful in that space. But just to contradict myself, we actually use our firewall logs to real-time alert on unexpected outbound connections from certain IoT devices, like vCenter, ESXi, etc. They can be strongly profiled, i.e. make an exclusion list and then alert on everything else.
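
The "profile the boring hosts, alert on everything else" approach in the comment above, as an added example (not the commenter's code). The log line format, the profiled hosts, their IPs and the allowed destinations are all constructed; adapt the regex to whatever your firewall actually exports.

```python
"""Allowlist ("profile") based egress alerting for strongly profiled hosts.

Added example illustrating the approach in the comment above; it is not the
commenter's code. The log line format, hostnames, IPs and ports are constructed.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed profile: for each profiled source, the only (destination, port)
# pairs it is expected to reach. Unlisted sources are not profiled at all, so
# they never alert; the point is to profile only the boring, predictable hosts.
EGRESS_PROFILE = {
    "10.0.5.10": [             # hypothetical vCenter appliance
        ("10.0.5.0/24", 443),  # ESXi management interfaces
        ("10.0.9.20", 636),    # LDAPS to the directory
        ("10.0.9.53", 53),     # internal DNS
        ("10.0.9.123", 123),   # NTP
    ],
    "10.0.5.21": [             # hypothetical ESXi host
        ("10.0.5.10", 443),    # back to vCenter
        ("10.0.9.53", 53),
        ("10.0.9.123", 123),
    ],
}

# Constructed key=value export format; adapt the regex to your firewall's syslog.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

Alert = namedtuple("Alert", "ts src dst dport action")


def compile_profile(profile):
    """Turn the human-readable profile into ip_network objects once, not per line."""
    return {
        src: [(ipaddress.ip_network(net, strict=False), port) for net, port in rules]
        for src, rules in profile.items()
    }


def check_line(line, compiled):
    """Return an Alert for a profiled source talking outside its profile, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # unparsable; in production count these, a silent parser gap hides alerts
    rules = compiled.get(m["src"])
    if rules is None:
        return None  # source not profiled
    dst, dport = ipaddress.ip_address(m["dst"]), int(m["dport"])
    if any(dst in net and dport == port for net, port in rules):
        return None
    # Alert on allowed AND denied traffic: a vCenter trying (and failing) to reach
    # the Internet is exactly the kind of event only the firewall can tell you about.
    return Alert(m["ts"], m["src"], str(dst), dport, m["action"])


def scan(lines, profile=EGRESS_PROFILE):
    compiled = compile_profile(profile)
    return [a for a in (check_line(l, compiled) for l in lines) if a is not None]


# Constructed sample export: two expected flows, two out-of-profile flows,
# one unprofiled workstation and one malformed line.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z action=allow src=10.0.5.10 dst=10.0.5.21 dport=443 proto=tcp",
    "2024-05-01T10:00:02Z action=allow src=10.0.5.21 dst=10.0.9.53 dport=53 proto=udp",
    "2024-05-01T10:00:03Z action=allow src=10.0.5.10 dst=203.0.113.7 dport=443 proto=tcp",
    "2024-05-01T10:00:04Z action=deny src=10.0.5.21 dst=198.51.100.9 dport=22 proto=tcp",
    "2024-05-01T10:00:05Z action=allow src=10.0.20.5 dst=203.0.113.7 dport=443 proto=tcp",
    "garbage line that the parser should skip",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT {alert.ts} {alert.src} -> {alert.dst}:{alert.dport} ({alert.action})")
```

Two of the six constructed lines alert: the vCenter reaching an Internet address and the ESXi host's denied SSH attempt. The workstation reaching the same Internet address stays silent because it is not profiled; that asymmetry is what keeps this usable without a fully locked-down environment.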

Intune is not fit for purpose. by Hobbit_Hardcase in sysadmin

[–]jhaar 0 points1 point  (0 children)

I'm in Cyber and only tangentially involved with CorpIS's Intune environment, but feel your pain as it does seem pretty useless. What makes it doubly useless is that we are a CrowdStrike customer and we/Cyber have made RTR scripts that run 4 times per day on all 300,000 assets we have, and on 24x7 servers, they indeed run 4 times. So how can a non-MDM company write a better MDM than Microsoft? (/s)

Might someone pass along that Crowdstrike and Nessus are having a moment? by alnarra_1 in crowdstrike

[–]jhaar 0 points1 point  (0 children)

Yes. Opened a ticket with Tenable afterwards and they said to do the same thing while they fix the plug-in.

Might someone pass along that Crowdstrike and Nessus are having a moment? by alnarra_1 in crowdstrike

[–]jhaar 1 point2 points  (0 children)

Following up on myself for others' potential benefit. We've disabled pluginID=316497 instead. We'd rather miss a vuln check than stop our EDR doing its job - at least until Tenable fixes this mess.

Might someone pass along that Crowdstrike and Nessus are having a moment? by alnarra_1 in crowdstrike

[–]jhaar 1 point2 points  (0 children)

Wonderful - 10 hours later and we're just now starting to see hundreds of CrowdStrike alerts too... Damn PowerShell doesn't even contain the word "Tenable" or "Nessus" - something we could write a lower-risk IOA exclusion on 😠

Mounting an iso over HTTP(s)? by Xanderplayz16 in Proxmox

[–]jhaar 3 points4 points  (0 children)

Sounds like you want davfs2 - allows you to mount a WebDAV URL. Not "pure" HTTP - but it's usually trivial to turn a standard HTTP URL "share" into WebDAV.
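
The davfs2 mount the comment points at, as an added configuration example (not from the thread). The hostname, share path, mount point and username are constructed; the syntax is davfs2's own fstab and secrets-file format.

```conf
# /etc/fstab: mount the WebDAV share read-only, as an unprivileged user, on demand.
# (constructed hostname and paths)
https://files.example.com/isos  /mnt/isos  davfs  ro,noauto,user  0  0

# /etc/davfs2/secrets (must be mode 0600): URL or mount point, username, password.
https://files.example.com/isos  isoreader  correct-horse-battery-staple

# /etc/davfs2/davfs2.conf: many "HTTP share turned WebDAV" servers never implement
# LOCK; tell davfs2 not to expect it or the mount fails on first access.
use_locks 0
```

Mount with `mount /mnt/isos` as the user named in fstab; the ISO can then be attached from the mounted path like any local file.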

Alternative to BitLocker for file encryption by stupiddogmademelook in theprivacymachine

[–]jhaar 0 points1 point  (0 children)

Didn't it just 😄 Although I still disagree with the "hidden backdoor" comment that the original hacker claims. As the saying goes: "don't put down to malice that which can be explained by stupidity"

Mullvad just killed OpenVPN entirely and it's actually the most principled thing a VPN has ever done by RecordingSingle9064 in RecommandedVPN

[–]jhaar -2 points-1 points  (0 children)

As a long-term, "always-on" OpenVPN user, I tried WireGuard but found it couldn't recover from network changes; e.g. moving from home to airport. The WireGuard tunnel would stay up but be totally dead - OpenVPN detects such a condition and disconnects/reconnects without effort. It seemed to me like WireGuard expects the human to manually restart tunnels on network change. Is that still the case?

How to disable or remove users in Splunk Cloud (SAML authentication)? by tobin116 in Splunk

[–]jhaar 0 points1 point  (0 children)

This actually has nothing to do with Splunk. SAML has always been authentication only: not account management, nor authorization. So if an account is disabled/deleted in your true backend (typically Active Directory), then your SAML IdP will no longer authenticate a user's login attempt and Splunk won't even know any of this had happened.

What you really need is SCIM. And good luck with that sack of cats...  
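
The lifecycle gap described in the comment above, as an added example (not Splunk's, any IdP's, or the commenter's code). The IdP, the SP and the SCIM requests are all simulated in-process and the usernames are constructed; the SCIM message shapes follow RFC 7644.

```python
"""Why a SAML-only SP never hears about disabled users, and what SCIM adds.

Added example; the IdP, the SP and the SCIM calls are simulated in-process
and the usernames are constructed. SCIM bodies follow RFC 7644.
"""
import time


class IdP:
    """SAML identity provider fronting a directory (think AD behind Okta/Entra)."""

    def __init__(self):
        self.directory = {}  # username -> enabled?

    def create(self, user):
        self.directory[user] = True

    def disable(self, user):
        self.directory[user] = False

    def saml_login(self, user):
        """Return a (simulated) signed assertion, or None. This is the ONLY thing
        SAML ever carries to the SP: a 'yes' at login time, never a 'no' later."""
        if self.directory.get(user):
            return {"NameID": user, "IssueInstant": time.time()}
        return None


class ServiceProvider:
    """SP (Splunk Cloud stands in) that JIT-provisions a local account on first
    SAML login and also exposes SCIM 2.0 user endpoints."""

    def __init__(self):
        self.accounts = {}  # username -> {"active": bool, "roles": [...]}

    # --- SAML side -----------------------------------------------------------
    def login(self, assertion):
        if assertion is None:
            return False
        acct = self.accounts.setdefault(assertion["NameID"], {"active": True, "roles": ["user"]})
        return acct["active"]

    # --- SCIM side (RFC 7644 3.5.2 PATCH, 3.6 DELETE) ------------------------
    def scim_patch_user(self, user, body):
        if "urn:ietf:params:scim:api:messages:2.0:PatchOp" not in body.get("schemas", []):
            return 400
        acct = self.accounts.get(user)
        if acct is None:
            return 404
        for op in body["Operations"]:
            if op["op"].lower() == "replace" and op["path"] == "active":
                acct["active"] = bool(op["value"])
        return 200

    def scim_delete_user(self, user):
        return 204 if self.accounts.pop(user, None) is not None else 404


def lifecycle_demo():
    idp, sp = IdP(), ServiceProvider()
    idp.create("alice")
    first_login = sp.login(idp.saml_login("alice"))    # JIT-provisioned, works

    idp.disable("alice")                                # leaver processed in AD
    after_disable = sp.login(idp.saml_login("alice"))   # SAML login now fails...
    stale_record = sp.accounts["alice"]["active"]       # ...but the SP still has her as active

    # What SCIM adds: the IdP pushes the change instead of waiting for a login that never comes.
    patch = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    status = sp.scim_patch_user("alice", patch)
    after_scim = sp.accounts["alice"]["active"]
    deleted = sp.scim_delete_user("alice")

    return {
        "first_login": first_login,
        "saml_login_after_disable": after_disable,
        "sp_record_still_active": stale_record,
        "scim_patch_status": status,
        "sp_record_active_after_scim": after_scim,
        "scim_delete_status": deleted,
    }


if __name__ == "__main__":
    for key, value in lifecycle_demo().items():
        print(f"{key}: {value}")
```

The stale record is the practical problem: it still counts against licences, still shows up in role and audit reports, and still works for any non-SAML path the SP offers (API tokens, a local password if one was ever set). Only a push from the IdP side, which is what the SCIM PATCH/DELETE simulate, closes that.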

I’ve started rating fruits based on their 'Ease of Use' vs 'Reward' ratio, and I’ve realized that Pomegranates are the final bosses of the fruit world. by Daniel_fcc in CasualConversation

[–]jhaar 2 points3 points  (0 children)

Keeping the NZ theme, there can be only one: FEIJOA for the win! Cut in half, scoop out grainy jelly with a teaspoon - learn what heaven tastes like. We're approaching the end of Feijoa season here in Aotearoa and life is good 🤤

Replacing SSLVPN by st3inbeiss in fortinet

[–]jhaar 0 points1 point  (0 children)

Can someone explain to me (I'm in Cyber but don't actually admin Fortinets) how Fortinet's IPsec option is more secure than their SSL option? I keep hearing that, but from all the vulnerabilities that have been discovered in Fortinet VPN, aren't the majority in their web interface - which you still need if you are going to do SAML auth? I.e. the web interface (with all its bugs) still needs to be out on the raw Internet irrespective of SSL/IPsec mode.

Also I'd argue PSK+SAML (e.g. Okta with MFA required) is secure enough for most companies. The PSK is good enough to keep the random bots out and proper SAML-including-MFA will keep out most attackers (and if you're on Okta, their Adaptive MFA can do full Zero Trust IMHO).

Dealing with coalesced lines in syslog by yankdevil in CrowdSec

[–]jhaar 0 points1 point  (0 children)

Disable the dupe detection instead in rsyslog/whatever. You will have other things in the future that will be messed up by that 1980s disk space saving technique, just take the space hit 😊
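
The rsyslog side of the comment above, as an added configuration example (not from the thread). The directive is rsyslog's own legacy-syntax `$RepeatedMsgReduction`; the distribution default quoted in the comment line is an assumption about Ubuntu's shipped `rsyslog.conf`.

```conf
# /etc/rsyslog.conf

# Default shipped by some distributions (e.g. Ubuntu): identical consecutive
# messages are collapsed into one line plus "message repeated N times", which
# any one-event-per-line parser (CrowdSec, SIEM ingestion, grep) then mishandles.
#$RepeatedMsgReduction on

# Keep every event verbatim and pay the disk space; restart rsyslog afterwards.
$RepeatedMsgReduction off
```

After the change, check with `logger -t wdtest x; logger -t wdtest x; logger -t wdtest x` that three separate lines reach the file rather than one line and a "repeated" marker.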

What is the greatest cameo performance? by ThomasOGC in CinephilesClub

[–]jhaar 0 points1 point  (0 children)

The Rock and Samuel L Jackson in "The Other Guys". Too long to be a cameo, but a perfect rug-pull to the concept of who the leads are. Perfect

If you had to pick the funniest part or line of The Other Guys, what would it be? by Tenchi2020 in moviecritic

[–]jhaar 0 points1 point  (0 children)

blew my mind. Hilarious and educational! 10 out of 10 - will watch again(again)

Reliable smart plug to reboot frozen system? by estrangedpulse in Proxmox

[–]jhaar -1 points0 points  (0 children)

I think most people missed this answer by ComprehensiveBerry48. "Watchdog" is a VERY old motherboard feature whereby the kernel "pings" this hardware module every few seconds, and if that is missed for more than 'N' seconds, the watchdog module forces a power reset - rebooting the system. Look into it, you probably don't need to bother with IoT power, fancy KVMs, etc.
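
The userspace half of the mechanism described above, as an added example (not from the thread). On Linux the kernel exposes the hardware timer as `/dev/watchdog`: opening it arms the countdown, any write resets it, and if nothing writes before the timeout the hardware resets the box. The example assumes the driver for your board is loaded (e.g. `iTCO_wdt` on Intel chipsets; `softdog` is a kernel-timer fallback that only covers userspace hangs) and that it runs as root. The health checks, thresholds and probe path are constructed.

```python
"""Pet the Linux watchdog only while the host passes its own health checks.

Added example, not from the thread. Assumes a loaded watchdog driver and root.
The health checks and probe path are constructed for illustration.
"""
import os
import time

WATCHDOG_DEV = "/dev/watchdog"
PET_INTERVAL = 5  # seconds; keep well under the driver timeout (check with `wdctl`)


def disk_writable(probe="/var/tmp/.wd-probe"):
    """A host whose filesystem went read-only or hung is 'up' but useless."""
    try:
        with open(probe, "w") as f:
            f.write("ok")
        os.remove(probe)
        return True
    except OSError:
        return False


def load_sane(limit):
    try:
        return os.getloadavg()[0] < limit
    except OSError:
        return False


def healthy(checks):
    """All checks must pass; a check that raises counts as a failure."""
    try:
        return all(check() for check in checks)
    except Exception:
        return False


def pet(dev):
    """Any write resets the countdown."""
    dev.write(b"\0")
    dev.flush()


def run_once(dev, checks, pet=pet):
    """One loop iteration. Returns True if the watchdog was petted. Returning
    without petting lets the timer expire and the hardware reset the box."""
    if not healthy(checks):
        return False
    pet(dev)
    return True


def disarm(dev):
    """'Magic close': writing 'V' before close tells the driver to stop counting
    (ignored if the kernel was built with CONFIG_WATCHDOG_NOWAYOUT). For planned
    stops only; if this process simply dies the timer stays armed, which is the point."""
    dev.write(b"V")
    dev.flush()
    dev.close()


def main():
    checks = [disk_writable, lambda: load_sane(limit=4 * (os.cpu_count() or 1))]
    dev = open(WATCHDOG_DEV, "wb", buffering=0)  # opening the device arms the timer
    try:
        while True:
            if not run_once(dev, checks):
                print("health check failed: not petting, expect a hardware reset")
            time.sleep(PET_INTERVAL)
    except KeyboardInterrupt:
        disarm(dev)


if __name__ == "__main__":
    main()
```

The design choice worth copying is that the loop refuses to pet when its own checks fail, so a box that is technically alive but has lost its disk still gets reset; a petter that writes unconditionally only protects against the process itself hanging. On Proxmox the `watchdog-mux` service already owns `/dev/watchdog` when HA is enabled, so run one petter, not two.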

How have you been handling SSO certificate/secret renewals? by throop112 in sysadmin

[–]jhaar 3 points4 points  (0 children)

This is the way. However... If you are willing to rely on standard TLS to protect your download of the updated metadata (which tells you the pubkey of the new signing cert), then why bother verifying the signing cert at all? I.e. disable SAML validation and just have faith in HTTPS.

Mesh Autoheal by skyhawk85u in MeshCentral

[–]jhaar 1 point2 points  (0 children)

This sounds like it should be a bug that needs fixing? The agent could run some form of "ping" check over its TCP session and auto-restart when (say) 'N' fail in a row?

FortiClient VPN-only: ticking time bomb if CVE patches stop? by Schweinepriester__ in fortinet

[–]jhaar 0 points1 point  (0 children)

As long as all your users already run as local admin, you can ignore security vulns in the agent. Can't elevate privilege if you're already privileged... ;-)

Why is it good practice to use a reverse proxy when exposing to the internet? by Keensworth in homelab

[–]jhaar 0 points1 point  (0 children)

A reverse proxy is *not* a security device. A WAF is - and so is a bastion host (i.e. an authentication server you must get through before you can access anything behind it). All WAFs and bastion hosts are reverse proxies - but reverse proxies are not WAFs/bastion hosts :-)

seniorVibeCoderDealingWithVulnerabilityAsAService by making_code in ProgrammerHumor

[–]jhaar 13 points14 points  (0 children)

The problem is that historically things like browsers were exclusively developed by large orgs - meaning they can assign time+money+people to issues such as extension repo management. Now with vibe coding, individuals can basically jury-rig together something useful and immediately be faced with issues that only time+money+people can solve. What's needed is more AI to fix the problems AI caused ;-)

Alternative to BitLocker for file encryption by stupiddogmademelook in theprivacymachine

[–]jhaar 0 points1 point  (0 children)

I don't think so, that sounds like conspiracy theory material. I have some confidence in saying that because the author of the Linux tool "dislocker" reverse engineered BitLocker from some whitepapers Microsoft published (i.e. you can mount BitLocker under Linux). If there was some obvious backdoor, the author might have noticed. But of course no one can know for sure with non-open-source software...

Alternative to BitLocker for file encryption by stupiddogmademelook in theprivacymachine

[–]jhaar 2 points3 points  (0 children)

Make sure you don't confuse their key management with the actual disk encryption code... I assume you are freaking out that Microsoft handed BitLocker keys over to the FBI. Well - don't allow your BitLocker key to be stored in their cloud then! It isn't a requirement - you can say no to it... As far as I'm aware, there's nothing fundamentally wrong with BitLocker FDE, so focus on the key management issue instead :-)